├── LICENSE
├── README.md
└── docs
├── CLOUD.md
├── CODE.md
├── DEPLOYMENT.md
├── DNS.md
├── EVERYTHING.md
├── HARDWARE.md
├── INTEGRATION.md
├── LOCAL.md
├── PEOPLE.md
├── RUNTIME.md
├── SERVICES.md
└── images
├── .DS_Store
├── Software-Supply-Chain-Visualization.png
├── akamai.svg
├── alibaba-cloud.png
├── amazon-linux-logo.png
├── amazon-linux.png
├── angular.svg
├── apache.svg
├── aspnet.png
├── atom.png
├── aws-api-gateway.svg
├── aws-cognito.svg
├── aws.svg
├── azure-devops.svg
├── azure-repos.png
├── azure.svg
├── babel.svg
├── bamboo.png
├── bitbucket.svg
├── braintree.png
├── buildkite.png
├── clearcase.png
├── cloud-ssc.png
├── cloudflare.svg
├── cloudfront.svg
├── codecommit.png
├── collaborators-github.png
├── collaborators-github2.png
├── composer.png
├── contentful.svg
├── cplusplus.png
├── crunchbase.png
├── csharp.png
├── deployment-ssc.png
├── django.svg
├── dns-ssc.png
├── docker.png
├── drupal.svg
├── express.svg
├── facebook.svg
├── fastapi.svg
├── fastly.svg
├── firebase.svg
├── flywheel.svg
├── freebsd.png
├── git.svg
├── gitea.png
├── github-visualizing-software-supply-chain.jpeg
├── github.svg
├── gitlab.svg
├── glassfish.png
├── go.svg
├── google-analytics.svg
├── google-cloud.svg
├── hardware-ssc.png
├── hotjar.svg
├── hubspot.svg
├── integration-ssc.png
├── java.svg
├── javascript.svg
├── jenkins.svg
├── joomla.png
├── jquery.svg
├── kinsta.svg
├── knockout.svg
├── kubernetes.svg
├── laravel.svg
├── linkedin.svg
├── linux.svg
├── local-ssc.png
├── lodash.svg
├── lua.svg
├── magento.svg
├── mailchimp.svg
├── marketo.svg
├── maven.svg
├── mercurial.png
├── microsoft-iis-logo.png
├── microsoft-sql-server-logo.svg
├── mixpanel.png
├── moment-js.svg
├── mysql.svg
├── netcore.svg
├── next-js.svg
├── nginx.svg
├── npm.png
├── nuget.png
├── nuxt-js.svg
├── octopus-deploy.png
├── octopus-deploy.svg
├── packagist.png
├── paypal.svg
├── peakhour.png
├── people-ssc.png
├── php.svg
├── postgres.svg
├── pypi.png
├── python.svg
├── react.svg
├── redhat.png
├── redhat.svg
├── redis.svg
├── require-js.svg
├── ruby-on-rails.svg
├── ruby.svg
├── runtime-ssc.png
├── rust.svg
├── segment.svg
├── services-ssc.png
├── slick.svg
├── source-code-ssc.png
├── square.jpeg
├── ssc-new-image.png
├── stripe.svg
├── swiper.svg
├── tailwind.svg
├── tomcat.svg
├── ubuntu.svg
├── underscore.svg
├── unix.svg
├── vercel.svg
├── vim.png
├── vscode.png
├── vue.svg
├── websphere.png
├── windows-server.svg
├── wordpress.svg
└── yarn.png
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2023 SecureStackCo
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | 
2 |
3 | The software supply chain is under increasing threat. New attacks and threats have popped up that we couldn't have imagined even two years ago. Total attacks on the software supply chain are increasing by more than [730% year on year since 2019](https://portswigger.net/daily-swig/researchers-find-633-increase-in-cyber-attacks-aimed-at-open-source-repositories).
4 |
5 | Unfortunately, there is no commonly accepted definition of what is in the software supply chain. This is a problem as we can't secure the software supply chain if we don't know what's in it. This project aims to help fix that by giving people a visual and contextual way to understand what specific components are in a particular software supply chain. If you want to tag your own components you can fork this repo and edit it to suit your specific software supply chain profiles. This repository takes advantage of the [DevSecOps Playbook](https://github.com/6mile/DevSecOps-Playbook) for the security control examples.
6 |
7 |
8 |
9 | ## The Software Supply Chain Stages
10 |
11 | | [People](docs/PEOPLE.md#people) | [Local Reqs](docs/LOCAL.md#local-requirements) | [Source Code](docs/CODE.md#source-code) | [Integration](docs/INTEGRATION.md#continuous-integration) | [Deployment](docs/DEPLOYMENT.md#continuous-deployment) | [Runtime](docs/RUNTIME.md#runtime) | [Hardware](docs/HARDWARE.md#hardware) | [DNS](docs/DNS.md#dns) | [Services](docs/SERVICES.md#services) | [Cloud](docs/CLOUD.md#cloud-resources)
12 | | :---------: | :----------: | :--------------: | :-----------: | :------------------: | :-----------------: | :---------: | :------: | :----------------: | :---------:
13 | | | | | | | | | | | |
14 | | Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
15 | | QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
16 | | DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | |
17 | | Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
18 | | | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
19 | | | | Open source | | API test frameworks | Databases | | | Proxies | |
20 | | | | Proprietary Code | | Unit tests | | | | | |
21 | | | | | | | | | | | |
22 | | [People](docs/PEOPLE.md#people) | [Local Reqs](docs/LOCAL.md#local-requirements) | [Source Code](docs/CODE.md#source-code) | [Integration](docs/INTEGRATION.md#continuous-integration) | [Deployment](docs/DEPLOYMENT.md#continuous-deployment) | [Runtime](docs/RUNTIME.md#runtime) | [Hardware](docs/HARDWARE.md#hardware) | [DNS](docs/DNS.md#dns) | [Services](docs/SERVICES.md#services) | [Cloud](docs/CLOUD.md#cloud-resources)
23 |
24 |
25 |
26 | ## Welcome to the "Visualizing the Software Supply Chain" repository!
27 |
28 | You can click on any of the links above and see examples of components sorted by category. You can also see specific examples of technologies and vendors that fall into that category as well. Enjoy!
29 |
30 | If you want to see everything on one page, you can select [EVERYTHING](./docs/EVERYTHING.md)
31 |
--------------------------------------------------------------------------------
/docs/CLOUD.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## The Software Supply Chain Stages
4 |
5 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
6 | | :---------: | :----------: | :--------------: | :-----------: | :------------------: | :-----------------: | :---------: | :------: | :----------------: | :---------:
7 | | | | | | | | | | | |
8 | | Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
9 | | QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
10 | | DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | |
11 | | Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
12 | | | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
13 | | | | Open source | | API test frameworks | Databases | | | Proxies | |
14 | | | | Proprietary Code | | Unit tests | | | | | |
15 | | | | | | | | | | | |
16 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
17 |
18 |
19 |
20 | ## Cloud resources
21 |
22 | Cloud native resources refer to the tools, technologies, and infrastructure required to develop, deploy, and manage applications that are designed to run in a cloud environment. These resources typically include containerization platforms, orchestration frameworks, serverless computing, and other cloud-specific technologies.
23 |
24 | ### What's in scope?
25 |
26 | * PaaS
27 | * CDN
28 | * Cloud hosting providers
29 | * Cloud native resources
30 |
31 | ### Examples
32 |
33 | #### PaaS Examples
34 |
35 |
36 |
37 | #### CDN Examples
38 |
39 |
40 |
41 | #### Cloud hosting providers
42 |
43 |
44 |
45 | #### Cloud Native Services
46 |
47 |
48 |
49 | DynamoDB, Azure Functions, Microsoft Power Apps, Azure Cosmos, Azure Application Gateway, AWS Elastic Load Balancer, AWS Certificate Manager
50 |
51 | ### Who owns it?
52 |
53 | * CloudOps team
54 | * DevOps team
55 |
56 | ### What are the security concerns?
57 |
58 | * Reference the shared responsibility model
59 | * Many of the cloud services are publicly facing endpoints by default
60 | * What permissions are the cloud services using?
61 | * How many assets do you have in the cloud?
62 |
63 | ### How do I secure it?
64 |
65 | * Cloud Security Posture Management
66 | * Attack surface mapping
67 |
--------------------------------------------------------------------------------
/docs/CODE.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## The Software Supply Chain Stages
4 |
5 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
6 | | :---------: | :----------: | :--------------: | :-----------: | :------------------: | :-----------------: | :---------: | :------: | :----------------: | :---------:
7 | | | | | | | | | | | |
8 | | Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
9 | | QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
10 | | DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | |
11 | | Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
12 | | | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
13 | | | | Open source | | API test frameworks | Databases | | | Proxies | |
14 | | | | Proprietary Code | | Unit tests | | | | | |
15 | | | | | | | | | | | |
16 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
17 |
18 |
19 |
20 | ## Source Code
21 |
22 | This includes any software that is needed to successfully write, build or deploy an application.
23 |
24 | ### What's in scope?
25 |
26 | * Programming languages
27 | * Frameworks
28 | * Libraries
29 | * Package managers
30 | * Open source components
31 | * Proprietary code
32 |
33 | ### Examples
34 |
35 | #### Programming Languages
36 |
37 |
38 |
39 | #### Frameworks & libraries
40 |
41 |
42 |
43 | #### Package managers
44 |
45 |
46 |
47 | ### Who owns it?
48 |
49 | * Development teams
50 | * DevOps team
51 |
52 | ### What are the security concerns?
53 |
54 | * Knowing what's in your software is the first key
55 | * Source code components come from many different sources and are used in applications
56 | * Dependency origin for the source code we use is critically important
57 | * Package managers are a primary target for attackers
58 |
59 | ### How do I secure it?
60 |
61 | * Use secure package repositories
62 | * Analyze source code composition
63 | * Software bill of materials
64 |
--------------------------------------------------------------------------------
/docs/DEPLOYMENT.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## The Software Supply Chain Stages
4 |
5 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
6 | | :---------: | :----------: | :--------------: | :-----------: | :------------------: | :-----------------: | :---------: | :------: | :----------------: | :---------:
7 | | | | | | | | | | | |
8 | | Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
9 | | QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
10 | | DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | |
11 | | Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
12 | | | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
13 | | | | Open source | | API test frameworks | Databases | | | Proxies | |
14 | | | | Proprietary Code | | Unit tests | | | | | |
15 | | | | | | | | | | | |
16 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
17 |
18 |
19 |
20 | ## Continuous deployment
21 |
22 | Continuous delivery is an extension of continuous integration that automatically deploys all code changes to a testing and/or production environment after the build stage. This means that in addition to automated testing, you have an automated release process, and can deploy your application at any time by clicking a button.
23 |
24 | ### What's in scope?
25 |
26 | * Build servers
27 | * Deployment platforms
28 | * Security tests
29 | * Functional tests
30 |
31 | ### Examples
32 |
33 |
34 |
35 | Bamboo, Selenium, Semgrep, SecureStack
36 |
37 | ### Who owns it?
38 |
39 | * CloudOps team
40 | * DevOps team
41 |
42 | ### What are the security concerns?
43 |
44 | * Are disposable build environments secure?
45 | * Are components being used during CI/CD known good?
46 | * Security scans are automated as part of the deployment process
47 |
48 | ### How do I secure it?
49 |
50 | * Dynamic application security testing
51 | * Static analysis security testing
52 |
--------------------------------------------------------------------------------
/docs/DNS.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## The Software Supply Chain Stages
4 |
5 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
6 | | :---------: | :----------: | :--------------: | :-----------: | :------------------: | :-----------------: | :---------: | :------: | :----------------: | :---------:
7 | | | | | | | | | | | |
8 | | Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
9 | | QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
10 | | DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | |
11 | | Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
12 | | | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
13 | | | | Open source | | API test frameworks | Databases | | | Proxies | |
14 | | | | Proprietary Code | | Unit tests | | | | | |
15 | | | | | | | | | | | |
16 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
17 |
18 |
19 |
20 | ## DNS
21 |
22 | This includes any hostnames or other DNS entries that any application needs.
23 |
24 | ### What's in scope?
25 |
26 | * DNS
27 |
28 | ### Examples
29 |
30 | app.example.org
31 |
32 | ### Who owns it?
33 |
34 | * CloudOps team
35 | * Operations team
36 |
37 | ### How do I secure it?
38 |
39 | *
40 |
--------------------------------------------------------------------------------
/docs/EVERYTHING.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## The Software Supply Chain Stages
4 |
5 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
6 | | :---------: | :----------: | :--------------: | :-----------: | :------------------: | :-----------------: | :---------: | :------: | :----------------: | :---------:
7 | | | | | | | | | | | |
8 | | Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
9 | | QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
10 | | DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | |
11 | | Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
12 | | | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
13 | | | | Open source | | API test frameworks | Databases | | | Proxies | |
14 | | | | Proprietary Code | | Unit tests | | | | | |
15 | | | | | | | | | | | |
16 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
17 |
18 |
19 |
20 | ## People
21 |
22 | These are the individuals or teams of people that are needed to write, build and deploy software.
23 |
24 | ### What's in scope?
25 |
26 | * Software engineers
27 | * QA team
28 | * DevOps team
29 |
30 | ### Examples
31 |
32 | #### Developers
33 |
34 | 
35 |
36 |
37 |
38 | ## Local Requirements
39 |
40 | This includes any local applications, configurations, or other dependencies that the people building software need to successfully do their job.
41 |
42 | ### What's in scope?
43 |
44 | * IDE
45 | * VCS tools
46 | * Local tests
47 |
48 | ### Examples
49 |
50 | #### IDE
51 |
52 |
53 |
54 | #### VCS Tools
55 |
56 |
57 |
58 | #### Local tests
59 |
60 | Linting, static analysis, software composition analysis
61 |
62 |
63 |
64 | ## Source Code
65 |
66 | This includes any software that is needed to successfully write, build or deploy an application.
67 |
68 | ### What's in scope?
69 |
70 | * Programming languages
71 | * Frameworks
72 | * Libraries
73 | * Open source components
74 | * Proprietary code
75 |
76 | ### Examples
77 |
78 | #### Programming Languages
79 |
80 |
81 |
82 | #### Frameworks & libraries
83 |
84 |
85 |
86 | ## Continuous Integration
87 |
88 | Continuous integration (CI) is the process of automatically integrating code changes from multiple contributors into a single software project. This is an important DevOps best practice that enables developers to frequently merge code changes into a central repository for testing before deployment. Automated tools are used to check that the new code is correct before integration.
89 |
90 | ### What's in scope?
91 |
92 | * SCM providers
93 | * Pull requests
94 |
95 | ### Examples
96 |
97 | #### SCM Providers
98 |
99 |
100 |
101 | ## Continuous deployment
102 |
103 | Continuous delivery is an extension of continuous integration that automatically deploys all code changes to a testing and/or production environment after the build stage. This means that in addition to automated testing, you have an automated release process, and can deploy your application at any time by clicking a button.
104 |
105 | ### What's in scope?
106 |
107 | * Build servers
108 | * Deployment platforms
109 | * Security tests
110 | * Functional tests
111 |
112 | ### Examples
113 |
114 |
115 |
116 | Bamboo, Selenium, Semgrep, SecureStack
117 |
118 |
119 |
120 | ## Runtime
121 |
122 | The web application runtime is the environment in which a web application is executed. It typically includes the web server, the application server, and other necessary components such as databases, messaging systems, and caching mechanisms. The runtime is responsible for managing the application's resources, handling incoming requests, and returning responses to users.
123 |
124 | ### What's in scope
125 |
126 | * Operating systems
127 | * Webservers
128 | * Application servers
129 | * Content management systems
130 | * Web runtime engines
131 | * Databases
132 | * Containers, AMIs & golden images
133 |
134 | ### Examples
135 |
136 | #### Operating systems
137 |
138 |
139 |
140 | #### Webservers
141 |
142 |
143 |
144 | #### Application servers
145 |
146 |
147 |
148 | #### Content management systems
149 |
150 |
151 |
152 | Clarity, Kentico, Sharepoint, Adobe Experience Manager
153 |
154 | #### Web runtime
155 |
156 | Node.js, WebKit, Chrome, V8
157 |
158 | #### Databases
159 |
160 |
161 |
162 | #### Containers, AMIs & Golden Images
163 |
164 |
165 |
166 |
167 |
168 | ## Hardware
169 |
170 | This includes any specific or customized piece of hardware that this application needs to run.
171 |
172 | ### What's in scope?
173 |
174 | * Proprietary devices
175 | * Dedicated servers
176 |
177 | ### Examples
178 |
179 | Embedded devices, custom PCBs, GPUs
180 |
181 |
182 |
183 | ## DNS
184 |
185 | This includes any hostnames or other DNS entries that any application needs.
186 |
187 | ### What's in scope?
188 |
189 | * DNS
190 |
191 | ### Examples
192 |
193 | app.example.org
194 |
195 |
196 |
197 | ## Services
198 |
199 | This refers to the process of identifying and describing the external services that an application relies on in order to function properly. These third-party services can include anything from authentication and authorization services to payment processing and analytics tools.
200 |
201 | ### What's in scope?
202 |
203 | * third party SaaS solutions
204 | * third party APIs or data
205 | * payment processors/gateways
206 | * identity providers
207 | * analytics & tracking
208 |
209 | ### Examples
210 |
211 | #### Payment gateways & processors
212 |
213 |
214 |
215 | #### SaaS solutions examples
216 |
217 |
218 |
219 | #### Analytics & tracking examples
220 |
221 |
222 |
223 |
224 |
225 | ## Cloud resources
226 |
227 | Cloud native resources refer to the tools, technologies, and infrastructure required to develop, deploy, and manage applications that are designed to run in a cloud environment. These resources typically include containerization platforms, orchestration frameworks, serverless computing, and other cloud-specific technologies.
228 |
229 | ### What's in scope?
230 |
231 | * PaaS
232 | * CDN
233 | * Cloud hosting providers
234 | * Cloud native resources
235 |
236 | ### Examples
237 |
238 | #### PaaS Examples
239 |
240 |
241 |
242 | #### CDN Examples
243 |
244 |
245 |
246 | #### Cloud hosting providers
247 |
248 |
249 |
250 | #### Cloud Native Services
251 |
252 |
253 |
254 | DynamoDB, Azure Functions, Microsoft Power Apps, Azure Cosmos, Azure Application Gateway, AWS Elastic Load Balancer, AWS Certificate Manager
255 |
--------------------------------------------------------------------------------
/docs/HARDWARE.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## The Software Supply Chain Stages
4 |
5 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
6 | | :---------: | :----------: | :--------------: | :-----------: | :------------------: | :-----------------: | :---------: | :------: | :----------------: | :---------:
7 | | | | | | | | | | | |
8 | | Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
9 | | QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
10 | | DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | |
11 | | Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
12 | | | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
13 | | | | Open source | | API test frameworks | Databases | | | Proxies | |
14 | | | | Proprietary Code | | Unit tests | | | | | |
15 | | | | | | | | | | | |
16 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
17 |
18 |
19 |
20 | ## Hardware
21 |
22 | This includes any specific or customized piece of hardware that this application needs to run.
23 |
24 | ### What's in scope?
25 |
26 | * Proprietary devices
27 | * Dedicated servers
28 |
29 | ### Examples
30 |
31 | Embedded devices, custom PCBs, GPUs
32 |
33 | ### Who owns it?
34 |
35 | * Operations team
36 | * Cloud provider
37 |
38 | ### What are the security concerns?
39 |
40 | * Hardware devices come with embedded software that is an attack vector
41 | * Theft of small portable devices like USB keys
42 | * Modification of the devices by malicious actors
43 |
44 | ### How do I secure it?
45 |
46 | * Buy from a known supplier
47 | * Network analysis so you can detect malicious "phone home"
48 | * Physical isolation and/or network segmentation
49 |
--------------------------------------------------------------------------------
/docs/INTEGRATION.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## The Software Supply Chain Stages
4 |
5 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
6 | | :---------: | :----------: | :--------------: | :-----------: | :------------------: | :-----------------: | :---------: | :------: | :----------------: | :---------:
7 | | | | | | | | | | | |
8 | | Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
9 | | QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
10 | | DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | |
11 | | Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
12 | | | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
13 | | | | Open source | | API test frameworks | Databases | | | Proxies | |
14 | | | | Proprietary Code | | Unit tests | | | | | |
15 | | | | | | | | | | | |
16 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
17 |
18 |
19 |
20 | ## Continuous Integration
21 |
22 | Continuous integration (CI) is the process of automatically integrating code changes from multiple contributors into a single software project. This is an important DevOps best practice that enables developers to frequently merge code changes into a central repository for testing before deployment. Automated tools are used to check that the new code is correct before integration.
23 |
24 | ### What's in scope?
25 |
26 | * SCM providers
27 | * Pull requests
28 |
29 | ### Examples
30 |
31 | #### SCM Providers
32 |
33 |
34 |
35 | ### Who owns it?
36 |
37 | * Engineering leadership
38 | * DevOps team
39 |
40 | ### What are the security concerns?
41 |
42 | * Teams are moving fast and iterating quickly. It's important that we address security at the speed of iteration
43 | * Use automated security controls to make sure that code is always promoted using guardrails
44 | * Verify developers are who they say they are
45 | * User roles define access
46 |
47 | ### How do I secure it?
48 |
49 | * Git commit signing
50 | * SSH keys for SCM provider
51 | * Pull requests
52 | * Branch protection
53 | * Permission-based SCM roles
54 | * MFA for SCM provider
55 |
56 |
--------------------------------------------------------------------------------
/docs/LOCAL.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## The Software Supply Chain Stages
4 |
5 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
6 | | :---------: | :----------: | :--------------: | :-----------: | :------------------: | :-----------------: | :---------: | :------: | :----------------: | :---------:
7 | | | | | | | | | | | |
8 | | Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
9 | | QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
10 | | DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | |
11 | | Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
12 | | | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
13 | | | | Open source | | API test frameworks | Databases | | | Proxies | |
14 | | | | Proprietary Code | | Unit tests | | | | | |
15 | | | | | | | | | | | |
16 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
17 |
18 |
19 |
20 | ## Local Requirements
21 |
22 | This includes any local applications, configurations, or other dependencies that the people building software need to do their job successfully.
23 |
24 | ### What's in scope?
25 |
26 | * IDE
27 | * Source code versioning tools
28 | * Local tests
29 | * Local git repositories
30 | * Page builders
31 |
32 | ### Examples
33 |
34 | #### IDE
35 |
36 |
37 |
38 | #### SCV Tools
39 |
40 |
41 |
42 | #### Local tests
43 |
44 | Linting, static analysis, software composition analysis
45 |
46 | #### Local git repositories
47 |
48 | Source code stored on a dev's laptop, private packages, install scripts, deployment scripts
49 |
50 | ### Who owns it?
51 |
52 | * Individual engineers
53 |
54 | ### What are the security concerns?
55 |
56 | * Choice of tools has different security outcomes
57 | * Git has several local security features which are typically not used
58 | * If an IDE is used, what extensions or plugins are enhancing security?
59 | * How do you encourage automated security tests in local environments?
60 | * The development environment should be secured
61 | * What challenges does BYOD bring with it?
62 |
63 | ### How do I secure it?
64 |
65 | * Use of git or other version control systems
66 | * .gitignore files
67 | * Endpoint detection and response (EDR)
68 | * Linting
69 | * Local secret scans
70 | * Local SCA scans
71 | * Pre-commit git hooks
72 |
73 |
--------------------------------------------------------------------------------
/docs/PEOPLE.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## The Software Supply Chain Stages
4 |
5 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
6 | | :---------: | :----------: | :--------------: | :-----------: | :------------------: | :-----------------: | :---------: | :------: | :----------------: | :---------:
7 | | | | | | | | | | | |
8 | | Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
9 | | QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
10 | | DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | |
11 | | Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
12 | | | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
13 | | | | Open source | | API test frameworks | Databases | | | Proxies | |
14 | | | | Proprietary Code | | Unit tests | | | | | |
15 | | | | | | | | | | | |
16 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
17 |
18 |
19 |
20 | ## People
21 |
22 | These are the individuals or teams of people that are needed to write, build and deploy software.
23 |
24 | ### What's in scope?
25 |
26 | * Software engineers
27 | * QA engineers
28 | * DevOps team
29 | * Package maintainers
30 |
31 | ### Examples
32 |
33 | #### Developers
34 |
35 | 
36 |
37 | ### Who owns it?
38 |
39 | * Individual engineers
40 |
41 | ### What are the security concerns?
42 |
43 | * How do we help our software engineers see security as a "skill" not a burden?
44 | * Package maintainers are high-profile targets.
45 | * What security controls can we suggest that don't slow down devs?
46 | * Security awareness training needs to be ongoing, not once a year
47 | * Help devs understand that finding security issues early saves them significant time later
48 |
49 | ### How do I secure it?
50 |
51 | * Secure Code Training
52 | * Security champion mentoring
53 | * Peer code review
54 | * Threat modeling
55 |
56 |
--------------------------------------------------------------------------------
/docs/RUNTIME.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## The Software Supply Chain Stages
4 |
5 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
6 | | :---------: | :----------: | :--------------: | :-----------: | :------------------: | :-----------------: | :---------: | :------: | :----------------: | :---------:
7 | | | | | | | | | | | |
8 | | Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
9 | | QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
10 | | DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | |
11 | | Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
12 | | | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
13 | | | | Open source | | API test frameworks | Databases | | | Proxies | |
14 | | | | Proprietary Code | | Unit tests | | | | | |
15 | | | | | | | | | | | |
16 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
17 |
18 |
19 |
20 | ## Runtime
21 |
22 | The web application runtime is the environment in which a web application is executed. It typically includes the web server, the application server, and other necessary components such as databases, messaging systems, and caching mechanisms. The runtime is responsible for managing the application's resources, handling incoming requests, and returning responses to users.
23 |
24 | ### What's in scope
25 |
26 | * Operating systems
27 | * Webservers
28 | * Application servers
29 | * Content management systems
30 | * Web runtime engines
31 | * Databases
32 | * Containers, AMIs & golden images
33 |
34 | ### Examples
35 |
36 | #### Operating systems
37 |
38 |
39 |
40 | #### Webservers
41 |
42 |
43 |
44 | #### Application servers
45 |
46 |
47 |
48 | #### Content management systems
49 |
50 |
51 |
52 | Clarity, Kentico, SharePoint, Adobe Experience Manager
53 |
54 | #### Web runtime
55 |
56 | Node.js, WebKit, Chrome, V8
57 |
58 | #### Databases
59 |
60 |
61 |
62 | #### Containers, AMIs & Golden Images
63 |
64 |
65 |
66 | ### Who owns it?
67 |
68 | * CloudOps team
69 | * Operations teams
70 |
71 | ### Security concerns with runtime components?
72 |
73 | * Traditional concerns around server security: patching, firewalls, user access, etc.
74 | * Container origin is a huge concern, as Docker Hub and container registries are prime areas for dependency attacks
75 | * Runtime components have multiple layers of user access controls to worry about
76 | * Golden images and AMIs don't age well, and are often "pinned" in launch
77 |
78 | ### How do I secure it?
79 |
80 | * Centralized logging
81 | * SIEM
82 | * Intrusion detection/prevention
83 | * OS hardening
84 | * Web application firewall
85 | * Container scanning
86 | * IaC scans
87 |
--------------------------------------------------------------------------------
/docs/SERVICES.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | ## The Software Supply Chain Stages
4 |
5 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
6 | | :---------: | :----------: | :--------------: | :-----------: | :------------------: | :-----------------: | :---------: | :------: | :----------------: | :---------:
7 | | | | | | | | | | | |
8 | | Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
9 | | QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
10 | | DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | |
11 | | Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
12 | | | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
13 | | | | Open source | | API test frameworks | Databases | | | Proxies | |
14 | | | | Proprietary Code | | Unit tests | | | | | |
15 | | | | | | | | | | | |
16 | | [People](PEOPLE.md#people) | [Local Reqs](LOCAL.md#local-requirements) | [Source Code](CODE.md#source-code) | [Integration](INTEGRATION.md#continuous-integration) | [Deployment](DEPLOYMENT.md#continuous-deployment) | [Runtime](RUNTIME.md#runtime) | [Hardware](HARDWARE.md#hardware) | [DNS](DNS.md#dns) | [Services](SERVICES.md#services) | [Cloud](CLOUD.md#cloud-resources)
17 |
18 |
19 |
20 | ## Services
21 |
22 | This refers to the process of identifying and describing the external services that an application relies on in order to function properly. These third-party services can include anything from authentication and authorization services to payment processing and analytics tools.
23 |
24 | ### What's in scope?
25 |
26 | * third-party SaaS solutions
27 | * third-party APIs or data
28 | * payment processors/gateways
29 | * identity providers
30 | * analytics & tracking
31 |
32 | ### Examples
33 |
34 | #### Payment gateways & processors
35 |
36 |
37 |
38 | #### SaaS solutions examples
39 |
40 |
41 |
42 | #### Analytics & tracking examples
43 |
44 |
45 |
46 | ### Who owns it?
47 |
48 | * CloudOps team
49 | * Marketing team
50 |
51 | ### How do I secure it?
52 |
53 | * Centralized audit logs
54 | * Vendor key management
55 | * Content security policy
56 | * Just-in-time access control
57 |
--------------------------------------------------------------------------------
/docs/images/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/.DS_Store
--------------------------------------------------------------------------------
/docs/images/Software-Supply-Chain-Visualization.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/Software-Supply-Chain-Visualization.png
--------------------------------------------------------------------------------
/docs/images/akamai.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/alibaba-cloud.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/alibaba-cloud.png
--------------------------------------------------------------------------------
/docs/images/amazon-linux-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/amazon-linux-logo.png
--------------------------------------------------------------------------------
/docs/images/amazon-linux.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/amazon-linux.png
--------------------------------------------------------------------------------
/docs/images/angular.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/aspnet.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/aspnet.png
--------------------------------------------------------------------------------
/docs/images/atom.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/atom.png
--------------------------------------------------------------------------------
/docs/images/aws-api-gateway.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/aws-cognito.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/azure-devops.svg:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/docs/images/azure-repos.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/azure-repos.png
--------------------------------------------------------------------------------
/docs/images/azure.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/bamboo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/bamboo.png
--------------------------------------------------------------------------------
/docs/images/bitbucket.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/braintree.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/braintree.png
--------------------------------------------------------------------------------
/docs/images/buildkite.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/buildkite.png
--------------------------------------------------------------------------------
/docs/images/clearcase.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/clearcase.png
--------------------------------------------------------------------------------
/docs/images/cloud-ssc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/cloud-ssc.png
--------------------------------------------------------------------------------
/docs/images/cloudflare.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/cloudfront.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/codecommit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/codecommit.png
--------------------------------------------------------------------------------
/docs/images/collaborators-github.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/collaborators-github.png
--------------------------------------------------------------------------------
/docs/images/collaborators-github2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/collaborators-github2.png
--------------------------------------------------------------------------------
/docs/images/composer.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/composer.png
--------------------------------------------------------------------------------
/docs/images/contentful.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/cplusplus.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/cplusplus.png
--------------------------------------------------------------------------------
/docs/images/crunchbase.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/crunchbase.png
--------------------------------------------------------------------------------
/docs/images/csharp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/csharp.png
--------------------------------------------------------------------------------
/docs/images/deployment-ssc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/deployment-ssc.png
--------------------------------------------------------------------------------
/docs/images/django.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/dns-ssc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/dns-ssc.png
--------------------------------------------------------------------------------
/docs/images/docker.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/docker.png
--------------------------------------------------------------------------------
/docs/images/drupal.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/facebook.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/fastapi.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/fastly.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/flywheel.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/freebsd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/freebsd.png
--------------------------------------------------------------------------------
/docs/images/git.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/gitea.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/gitea.png
--------------------------------------------------------------------------------
/docs/images/github-visualizing-software-supply-chain.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/github-visualizing-software-supply-chain.jpeg
--------------------------------------------------------------------------------
/docs/images/gitlab.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/glassfish.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/glassfish.png
--------------------------------------------------------------------------------
/docs/images/go.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/google-analytics.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/google-cloud.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/hardware-ssc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/hardware-ssc.png
--------------------------------------------------------------------------------
/docs/images/hotjar.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/hubspot.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/integration-ssc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/integration-ssc.png
--------------------------------------------------------------------------------
/docs/images/java.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/javascript.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/jenkins.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/joomla.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/joomla.png
--------------------------------------------------------------------------------
/docs/images/jquery.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/kinsta.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/knockout.svg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/knockout.svg
--------------------------------------------------------------------------------
/docs/images/kubernetes.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/laravel.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/linkedin.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/local-ssc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/local-ssc.png
--------------------------------------------------------------------------------
/docs/images/lua.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/magento.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/mailchimp.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/marketo.svg:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/docs/images/mercurial.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/mercurial.png
--------------------------------------------------------------------------------
/docs/images/microsoft-iis-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/microsoft-iis-logo.png
--------------------------------------------------------------------------------
/docs/images/mixpanel.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/mixpanel.png
--------------------------------------------------------------------------------
/docs/images/moment-js.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/mysql.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/netcore.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/next-js.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/nginx.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/npm.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/npm.png
--------------------------------------------------------------------------------
/docs/images/nuget.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/nuget.png
--------------------------------------------------------------------------------
/docs/images/nuxt-js.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/octopus-deploy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/octopus-deploy.png
--------------------------------------------------------------------------------
/docs/images/octopus-deploy.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/packagist.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/packagist.png
--------------------------------------------------------------------------------
/docs/images/paypal.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/peakhour.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/peakhour.png
--------------------------------------------------------------------------------
/docs/images/people-ssc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/people-ssc.png
--------------------------------------------------------------------------------
/docs/images/postgres.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/pypi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/pypi.png
--------------------------------------------------------------------------------
/docs/images/python.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/react.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/redhat.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/redhat.png
--------------------------------------------------------------------------------
/docs/images/redhat.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/redis.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/require-js.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/ruby-on-rails.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/ruby.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/runtime-ssc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/runtime-ssc.png
--------------------------------------------------------------------------------
/docs/images/rust.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/segment.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/services-ssc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/services-ssc.png
--------------------------------------------------------------------------------
/docs/images/slick.svg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/slick.svg
--------------------------------------------------------------------------------
/docs/images/source-code-ssc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/source-code-ssc.png
--------------------------------------------------------------------------------
/docs/images/square.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/square.jpeg
--------------------------------------------------------------------------------
/docs/images/ssc-new-image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/ssc-new-image.png
--------------------------------------------------------------------------------
/docs/images/stripe.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/swiper.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/tailwind.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/tomcat.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/ubuntu.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/underscore.svg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/underscore.svg
--------------------------------------------------------------------------------
/docs/images/unix.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/vercel.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/vim.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/vim.png
--------------------------------------------------------------------------------
/docs/images/vscode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/vscode.png
--------------------------------------------------------------------------------
/docs/images/vue.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/websphere.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/websphere.png
--------------------------------------------------------------------------------
/docs/images/windows-server.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/images/yarn.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecureStackCo/visualizing-software-supply-chain/7e1ec21075c563855e8e2ec071f5e6103cfee216/docs/images/yarn.png
--------------------------------------------------------------------------------